Researchers hack Gmail app with 92% success rate

Your most trustworthy apps may be at risk. Researchers say they have found a way to hack Gmail apps with a 92 percent success rate.

In a paper being presented Friday at the Usenix cybersecurity conference, the engineers said they also could steal check images from a Chase app with an 83 percent success rate and hack personal information such as address and Social Security numbers from H&R Block (success rate 92 percent), Newegg (86 percent), WebMD (85 percent), Hotels.com (83 percent) and Amazon (48 percent) apps.


Although the paper only covers these seven Android apps, the researchers said their hacks exploit a vulnerability that apps on other operating systems likely share.

"I certainly think the report is credible," cybersecurity analyst Michela Menting said in an email. "If a researcher or a hacker looks hard enough, there will be ways to exploit any number of vectors within an application."

Demo videos show how a hacker could use another phone to monitor the activity on the sensitive apps and grab personal information when entered by the victim.

The hacker would gain access by getting a user to install a seemingly harmless app, such as a phone wallpaper app, which exploits a newly discovered public side channel that doesn't require privileges. The feature behind this channel allows processes to share data efficiently and is quite common, since all of a phone's downloaded apps interact with one operating system.

"The assumption has always been that these apps can't interfere with each other easily," researcher Zhiyun Qian said in a statement. "We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user."

The other contributors to the paper were Z. Morley Mao, associate professor at the University of Michigan, and Qi Alfred Chen, a Ph.D. student working with Mao. Qian, a recent doctoral graduate from Mao's group, is a professor at the University of California, Riverside.

The researchers said they had only a 48 percent success rate with the Amazon app because it allows transitions from one activity to almost any other, increasing the difficulty of guessing what the user is doing and finding the exact moment to steal data.

Representatives of Chase and WebMD said the issue was an operating system vulnerability rather than an app problem. Newegg.com said the study shows the need for "everyone in the mobile space to work together to ensure security."

H&R Block's Gene King said there was no indication that any client data had been compromised. "H&R Block takes privacy and security very seriously, and we are in contact with appropriate parties to address these reports," King said.

The other companies in the study did not immediately respond to CNBC requests for comment.

However, some smartphone experts didn't find the report a great concern.

"It was interesting in a theoretical sense, but a lot of things have to happen there for it to be a practical hack," Android Central Editor-in-Chief Phil Nickinson said via Twitter.

Menting, an analyst at ABI Research, said the level of technical knowledge required for the attacks would probably prevent widespread use of the hack method.

After a high-profile breach of credit card data at Target late last year, reports of cybersecurity attacks on companies and government agencies have been on the rise recently.

"As secure as we thought we were a year or two ago, we're seeing another wave across app platforms everywhere," said Brian Blair, analyst at Rosenblatt Securities. "We're going to have to have app developers create a layer of new security. There's not much I see consumers can do. We have to wait for all companies that store our info to upgrade."

He added that consumers will probably start looking more into state-of-the-art identification protection services.

"Users should be cautious and only download apps from trusted sources—big, popular apps are hacker magnets," he said in an email. "Do a routine check of your smartphone and tablet, especially if you have little ones using the device, to ensure only apps that can be trusted are the only ones installed. Immediately uninstall apps that appear to be from unknown sources or are not necessary."